Apple Claims Former Engineer Exploited Authentication Flaw to Steal Trade Secrets After Joining OpenAI

Apple alleges that Chang Liu, a former system electrical engineer, discovered an unknown authentication vulnerability in the company's network storage system and exploited it for weeks after leaving for OpenAI, downloading dozens of confidential hardware files and engineering documentation.
According to Apple's complaint, reported by TechCrunch, Liu realized in February 2026 that his access credentials to Apple's cloud-based repository — which contains engineering files, project documentation, and proprietary technical specifications — had never been properly revoked. The vulnerability, described in the filing as a zero-day authentication bug (a security flaw unknown to Apple at the time of exploit), allowed Liu to continue downloading files despite his formal departure.
Apple's server logs show no evidence that others exploited the same flaw, though the company concedes the vulnerability's design could theoretically have allowed a small number of other former or current employees through the same gap. The company patched the vulnerability once Liu's access was discovered and deactivated his credentials. Apple declined to explain publicly how the bug functioned technically or when Liu's access should have been terminated.
Over several weeks, Liu allegedly downloaded confidential material including descriptions of unreleased products, internal engineering presentations, technical specifications, and manufacturing process information, per the complaint. The lawsuit, filed against OpenAI and naming both Liu and Peng as defendants, also alleges that Liu failed to return his Apple-issued work laptop after departure. Apple further claims Liu used a laptop belonging to Yu-Ting Peng, another Apple employee who later joined OpenAI, to access systems using her still-active credentials before the network storage vulnerability gave him a more direct route in.
Apple's filing alleges that senior OpenAI leadership directed the underlying trade secret misconduct, according to TechCrunch's July 10 reporting. A companion TechCrunch piece from July 13 notes the complaint includes allegations that OpenAI employees joked internally about unauthorized Apple system access — a detail that, if proven true, would suggest organizational awareness rather than isolated wrongdoing. The full complaint is available on DocumentCloud.
What makes this case noteworthy is the combination of technical and human factors at play. A zero-day flaw in network storage authentication that went undetected long enough for a departed employee to discover and exploit it reflects an offboarding and identity management failure as much as a security gap — the kind of issue that should surface during routine access audits, not through litigation months later. Apple's own account acknowledges the flaw had broader exposure potential, even if Liu was the only person documented to have used it.
The laptop-sharing allegation represents a more conventional insider-threat vector: a colleague's credentials and device, still valid long after their identity should have been deprovisioned from corporate systems. This is a well-known pattern in large organizations, and many have spent years hardening against it through automated access controls and just-in-time permissions. Apple's complaint suggests those controls either didn't catch this scenario or were bypassed.
Neither company has filed a detailed public response to the technical allegations. The case sits within a broader wave of trade secret litigation involving AI talent movement between hardware manufacturers and AI research labs, but the involvement of an actual authentication vulnerability — rather than just documents carried away or retained in memory — sets it apart from more typical trade-secret and noncompete claims in the sector.
OpenAI and Apple have not commented publicly beyond their court filings.


